The security of data that is being transmitted over a network is one of the key responsibilities of a security engineer/administrator. One of the ways that this data can be secured is by using IP Security (IPsec). IPsec can be configured on the Cisco Adaptive Security Appliance (ASA) to secure data going between LAN devices (LAN-to-LAN) and between a LAN device and an IPsec client (e.g., Windows, Linux, or Mac clients). Sean Wilkins goes over the high-level basics of how IPsec operates and how it can be configured on a Cisco ASA.


This article goes over the high-level basics of how IPsec operates and how it can be configured on a Cisco ASA.

IPsec Basics

The Cisco ASA uses IPsec to create a secured channel, a Virtual Private Network (VPN), so that data can be transmitted securely between LAN devices or between a LAN device and a networking client. IPsec refers to these LAN devices or clients as peers. Officially, Cisco supports only connections between Cisco peers (LAN-to-LAN, or LAN to a client running the Cisco VPN client), but because the ASA follows the industry standards, connections to other vendors' equipment should work.

NOTE

By default, the ASA uses IPsec tunnel mode. The ASA also supports IPsec transport mode, but the rest of this article discusses and configures IPsec in tunnel mode.

For two peers to successfully set up a secured connection (tunnel) between each other, they must be able to communicate and agree on a list of security parameters that both sides support; this agreed set of parameters is referred to as a Security Association (SA). Setting up an IPsec connection actually involves negotiating two different SAs, in two phases. The first phase establishes the Internet Key Exchange (IKE) SA, which provides a secured connection over which the parameters of the second SA, the IPsec SA, are negotiated. The IPsec SA is what secures the main traffic that flows through the connection (tunnel).
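The two phases map directly onto two separate pieces of ASA configuration: an IKE policy for the phase 1 (IKE) SA and a transform set for the phase 2 (IPsec) SA, tied together by a crypto map and a tunnel-group for the peer. The following LAN-to-LAN configuration is an added example, not configuration from this article or from Cisco's documentation. It assumes ASA 9.x IKEv1 syntax, an interface named outside, constructed LAN addresses (10.1.1.0/24 local, 10.2.2.0/24 remote), a constructed peer address 203.0.113.2, and a placeholder pre-shared key that must be replaced.

```cisco
! Phase 1: the IKEv1 policy lists the parameters both peers must agree on
! for the IKE SA (authentication, encryption, hash, DH group, lifetime).
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
! Phase 2: the transform set defines the IPsec SA that protects the
! actual traffic (ESP with AES-256 and SHA-1 HMAC). Tunnel mode is the
! default, so no mode setting is needed.
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic: only flows matching this ACL are sent through the
! tunnel (constructed sample networks).
access-list L2L-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! The crypto map binds the traffic selector, the remote peer and the
! phase 2 transform set, and is applied to the outside interface.
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! The tunnel-group identifies the peer and holds the phase 1 pre-shared
! key (placeholder value; use a long random key on a real deployment).
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
```

Once traffic matching the ACL is sent, `show crypto ikev1 sa` shows whether the phase 1 SA came up and `show crypto ipsec sa` shows the phase 2 SA with its encrypt/decrypt packet counters; a tunnel that reaches phase 1 but never phase 2 usually points at a mismatch in the transform set or the interesting-traffic ACL on one of the peers. The peer needs a mirror-image configuration: the same phase 1 policy values, the same transform set, the same pre-shared key, and an ACL with the source and destination networks swapped.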

NOTE

Other articles and books commonly refer to the Internet Security Association and Key Management Protocol (ISAKMP), a term that is often used interchangeably with IKE. The easiest way to look at it is that ISAKMP is a framework defined for setting up security associations (SAs), and IKE uses this framework for IPsec.